agent-Specialization/modules
JOJO 6ee8cda2a7 feat(security): harden host execution model with sandbox/direct controls
This commit introduces a substantial security and runtime architecture update for host mode, with three major goals: (1) enforce OS-level sandboxing by default, (2) support a controlled temporary direct-execution escape hatch for admin users, and (3) eliminate silent fallback behavior that could hide risk.

Backend/runtime changes:\n- Added a unified host sandbox runner (macOS sandbox-exec / Linux bubblewrap+seccomp / Windows WSL2).\n- Converted host terminal creation to sandboxed interactive shells by default.\n- Kept run_command/run_python on the same execution policy and added host execution mode plumbing (sandbox|direct).\n- Added session-scoped direct mode with TTL auto-revert (default 10 minutes), configurable via environment.\n- Added execution mode APIs (GET/POST /api/execution-mode), host+admin gating, status propagation, and rate limiting.\n- Added runtime refresh hooks so tool calls honor TTL expiration and mode transitions consistently.\n- Removed docker->host silent fallback paths: docker startup/runtime failures now fail fast instead of degrading silently.\n- Added host sandbox prompt injection (host-only) to guide agent behavior under permission constraints.

Configuration and policy changes:\n- Added HOST_EXECUTION_MODE_DEFAULT and HOST_EXECUTION_DIRECT_TTL_SECONDS.\n- Added HOST_SANDBOX_MACOS_WRITABLE_PATHS to support user-defined writable path allowlists.\n- Updated macOS sandbox profile generation to use minimal defaults (workspace + tmp + /dev/null) plus explicit allowlist extensions.\n- Updated .env.example documentation for new execution/sandbox controls.

Frontend changes:\n- Extended permission popover to a two-column model (Permission + Execution Environment) for host admin sessions.\n- Added execution mode state/options to app state, fetching, and status synchronization flows.\n- Added execution mode switching action and user feedback toasts.\n- Kept warning emphasis via text styling only (removed warning border per UX request).

Validation:\n- Python syntax checks passed for modified backend modules.\n- Existing smoke tests passed: python3 -m unittest test.test_server_refactor_smoke\n- Frontend production build passed: npm run build
2026-05-10 19:19:01 +08:00
..
__pycache__ <fix thinking chunk> 2025-11-19 20:47:56 +08:00
admin_policy_manager.py fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
api_user_manager.py feat: add skills framework and controls 2026-02-07 00:20:35 +08:00
background_command_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
balance_client.py fix: stop converting Kimi balance and switch Qwen endpoint to business.aliyuncs.com 2026-01-05 14:22:06 +08:00
container_file_proxy.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
container_monitor.py docs: refresh readme and phase2 summary 2025-11-23 21:24:09 +08:00
custom_tool_executor.py chore: sync pending changes 2026-01-05 21:48:55 +08:00
custom_tool_registry.py feat: add custom tools guide and id validation 2026-01-05 21:46:55 +08:00
easter_egg_manager.py feat: modularize easter egg effects 2025-11-22 13:07:54 +08:00
file_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
gui_file_manager.py chore: initial import 2025-11-14 16:44:12 +08:00
host_sandbox_runner.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
host_workspace_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
mcp_client_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
mcp_server_registry.py fix(mcp): split categories by server and preserve toggle states 2026-04-27 01:42:40 +08:00
memory_manager.py feat: index-based memory tool with append/replace/delete 2025-12-14 17:56:18 +08:00
ocr_client.py feat: update model support and multimodal 2026-02-25 01:41:05 +08:00
persistent_terminal.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
personalization_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
search_engine.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
skill_hint_manager.py chore: add docs and remove sub_agent 2026-03-17 22:46:43 +08:00
skills_manager.py feat: add host workspace manager, mcp-tool-config skill, and UI enhancements 2026-04-28 13:04:51 +08:00
sub_agent_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
terminal_manager.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
terminal_ops.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
todo_manager.py feat: support batch todo updates 2026-01-30 18:50:02 +08:00
tool_approval_manager.py feat: add conversation-bound permission modes and tool approval flow 2026-04-11 04:07:28 +08:00
toolbox_container.py fix: improve terminal timeouts and clean outputs 2025-12-15 18:13:53 +08:00
upload_security.py feat: add upload quarantine scanning and ui toasts 2025-11-24 14:31:13 +08:00
usage_tracker.py fix: improve api error diagnostics and raise model quotas 2026-03-06 17:02:19 +08:00
user_container_manager.py feat(security): harden host execution model with sandbox/direct controls 2026-05-10 19:19:01 +08:00
user_manager.py fix: persist onboarding prompt status and bump android app to 1.0.20 2026-04-07 20:08:33 +08:00
versioning_manager.py fix(prompt): merge disabled-tool notice into leading system prompts 2026-05-09 18:56:49 +08:00
webpage_extractor.py chore: initial import 2025-11-14 16:44:12 +08:00